# etcd_data

The etcd_data role allows you to query, encrypt, or decrypt etcd data using the supported encryption types.

By default, etcd data is not encrypted in OpenShift Container Platform. This role takes care of encrypting or decrypting the etcd data.

More information is available in the OpenShift documentation, under "Encrypting etcd data".
> [!WARNING]
> - Enabling etcd encryption might increase the memory consumption of a few resources.
> - You might notice a transient effect on backup performance, because the leader must serve the backup.
> - Disk I/O can affect the node that receives the backup state.
## Requirements

- A valid `KUBECONFIG` environment variable pointing to a kubeconfig file.
## Variables

| Variable | Default | Required | Description |
|---|---|---|---|
| ed_action | query | No | Action to perform on the etcd data (`encrypt`, `decrypt`, or `query`). |
| ed_enc | aesgcm | No | Encryption type to use (`aesgcm` or `aescbc`). |
| ed_force | false | No | Whether or not to force the encrypt or decrypt action. |
> [!NOTE]
> `aesgcm` is supported only in OCP 4.13 and above. `aescbc` is the only type supported in OCP 4.12.

Supported encryption types:

- AES-CBC (`aescbc`): uses AES-CBC with PKCS#7 padding and a 32-byte key to perform the encryption.
- AES-GCM (`aesgcm`): uses AES-GCM with a random nonce and a 32-byte key to perform the encryption.

> [!NOTE]
> The encryption keys are rotated weekly.
## Role outputs

`ed_result`
: The state of the etcd data, `encrypted` or `unencrypted`, and its type of encryption when encrypted.

Examples:

- Encrypted:

  ```yaml
  ed_result:
    status: encrypted
    type: aesgcm
  ```

- Unencrypted:

  ```yaml
  ed_result:
    status: unencrypted
  ```
## Usage

- Query the etcd data in an OCP cluster:

  ```yaml
  - name: Query etcd data
    ansible.builtin.include_role:
      name: redhatci.ocp.etcd_data
    vars:
      ed_action: query

  - name: Print etcd data status
    ansible.builtin.debug:
      var: ed_result
  ```

- Encrypt the etcd data in an OCP 4.12 cluster (`aescbc` is the only type supported there):

  ```yaml
  - name: Encrypt etcd
    ansible.builtin.include_role:
      name: redhatci.ocp.etcd_data
    vars:
      ed_action: encrypt
      ed_enc: aescbc
  ```

- Decrypt the etcd data in an OCP cluster:

  ```yaml
  - name: Decrypt etcd
    ansible.builtin.include_role:
      name: redhatci.ocp.etcd_data
    vars:
      ed_action: decrypt
  ```
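The snippets above run one action each. As an added example that is not part of the role's own documentation, the following playbook combines the `query` and `encrypt` actions into an idempotent enforcement check: it reads `ed_result` first, encrypts only when the cluster reports `unencrypted`, selects `aescbc` for OCP 4.12 and `aesgcm` for 4.13 and later, and re-queries at the end so the run fails if etcd is still unencrypted. The `ocp_version` variable, the `hosts: localhost` target and the `etcd_before` fact name are assumptions of this example; the role variables are the ones documented above.

```yaml
---
# Added example, not part of the redhatci.ocp.etcd_data role.
# Assumptions: the role is executed from localhost with KUBECONFIG set, and
# `ocp_version` is supplied by the caller (inventory, extra-vars or an earlier task).
- name: Ensure etcd data is encrypted with the strongest type the cluster supports
  hosts: localhost
  gather_facts: false
  vars:
    ocp_version: "4.14.10"   # assumption: replace with the real cluster version
    # aesgcm needs OCP 4.13+; fall back to aescbc on 4.12
    desired_enc: "{{ 'aescbc' if ocp_version is version('4.13', '<') else 'aesgcm' }}"
  tasks:
    - name: Query the current etcd encryption state
      ansible.builtin.include_role:
        name: redhatci.ocp.etcd_data
      vars:
        ed_action: query

    - name: Keep the queried state, since the next role call overwrites ed_result
      ansible.builtin.set_fact:
        etcd_before: "{{ ed_result }}"

    - name: Encrypt etcd data only when it is currently unencrypted
      ansible.builtin.include_role:
        name: redhatci.ocp.etcd_data
      vars:
        ed_action: encrypt
        ed_enc: "{{ desired_enc }}"
      when: etcd_before.status == 'unencrypted'

    - name: Re-query to verify the final state
      ansible.builtin.include_role:
        name: redhatci.ocp.etcd_data
      vars:
        ed_action: query

    - name: Fail the run if etcd data is still unencrypted
      ansible.builtin.assert:
        that:
          - ed_result.status == 'encrypted'
        fail_msg: "etcd data is not encrypted: {{ ed_result }}"
        success_msg: "etcd data is encrypted with {{ ed_result.type }}"

    - name: Report when the cluster is encrypted with a different type than desired
      ansible.builtin.debug:
        msg: "etcd is encrypted with {{ ed_result.type }}, desired {{ desired_enc }}"
      when: ed_result.type != desired_enc
```

The check only asserts on `status`: a cluster already encrypted with `aescbc` on a newer release is reported rather than re-encrypted, because changing the type is a separate decision for which the role's `ed_force` variable exists.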